G31000 Risk Maturity Model


© G31000 2017 - Good practices in risk management standardization 1

The only ISO 31000 principles-based risk maturity model

Contents

• Why G31000 Risk Maturity Model?

• G31000 Risk Maturity Model structure

• Results of evaluation

• Next steps


The concept of risk management maturity is introduced in ISO31000

• The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its existing practices and processes in the light of this International Standard.

(Source: ISO31000 Introduction)

• Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

(Source: Chapter 3, Principle K)


G31000 RMM helps organizations assess their alignment with the ISO31000 principles and their current maturity level, and develop a roadmap for continuous improvement.

Why G31000 Risk Maturity Model?

• The Global Institute for Risk Management Standards is a network of over 65,000 risk management experts across the world; more than 1000 of them are ISO31000-certified risk professionals

• G31000 Risk Management Maturity Model is the only globally recognized model that has been designed to closely align with the ISO31000:2009 principles

• Focuses not on the formal elements of risk management but on the integration of risk management into activities, decision making and culture

• Created by a global team with extensive knowledge of risk management and risk maturity models

• Endorsed by global organizations


G31000 Risk Maturity Model structure (1/2)

• G31000 Risk Management Maturity Model is structured around the ISO31000 principles

• Each of the 11 principles has a set of criteria to test current maturity and identify opportunities for improvement

• The overall scoring system is based on a detailed questionnaire linked directly to identified sub-components of all the principles and is mapped to a 3-level risk maturity scale

• Available for self-assessment or external validation, in hard copy or electronic form

• Can be applied at any organizational, program, project or subsidiary level


G31000 Risk Maturity Model structure (2/2)

The three levels of the risk maturity scale: Compliance-driven, Structured, Integrated


Each of the 11 principles covers:

▪ Detailed assessment criteria specifically designed for each principle

▪ List of documents to review

▪ List of stakeholders to interview

▪ Sample interview questions related to each principle

▪ Recommendations for the walkthrough

▪ Scoring criteria

▪ Worksheets for comments, maturity assessment and opportunities for improvement

Results of evaluation

• Current state of risk management maturity and alignment with ISO31000 principles

• Identified gaps and opportunities for improvement

• Specific recommendations and action plans to improve risk management practices across the organization or its subsidiaries

• Statement of independent validation of your organization's risk management practices (available for external assessments carried out by G31000 professionals only)


C. Risk management is part of decision making

Sample assessment criteria for this principle, by maturity level:

Compliance-driven:

• Risk assessments during decision making are carried out informally or post factum only

• Information about the risks associated with decision-making is suppressed or discussed reluctantly

• Business units rarely act as risk assessment customers during decision-making

• Strategic decisions are made by senior management without any expert risk management opinion

Structured:

• Risk assessments are carried out for some of the most significant strategic decisions; however, this is done ad hoc and often not documented

• Whenever risk assessments for key decisions are done, risk information is communicated to the decision makers in a timely manner and in full; however, not all stakeholders may be informed

• Significant strategic and budgetary decisions are made by management only after analysing the risks associated with these decisions

• Key operating decisions are made only after risk assessments are complete

Integrated:

• Business units, independently or with help from risk management experts, carry out risk assessments for key decisions

• The risk management department is involved in core operational decisions; the risk manager may veto some high-risk decisions

• In situations of high uncertainty, risk management experts, stakeholders and risk owners are involved in the decision-making process

• Decisions are communicated to stakeholders who may be impacted by the risks associated with these decisions

The 11 ISO31000 principles covered by the model:

A. Risk management creates and protects value

B. Risk management is an integral part of all organizational processes

C. Risk management is part of decision making

D. Risk management explicitly addresses uncertainty

E. Risk management is systematic, structured and timely

F. Risk management is based on the best available information

G. Risk management is tailored

H. Risk management takes human and cultural factors into account

I. Risk management is transparent and inclusive

J. Risk management is dynamic, iterative and responsive to change

K. Risk management facilitates continual improvement of the organization

Next steps

Order today to receive a special promotional offer:

1. Hard copy of the G31000 RMM, including postage and handling

2. Electronic copy of the G31000 RMM, including the scoring model (Excel)

3. Complimentary updates of the G31000 RMM for the next 3 years (due to be updated when ISO31000:2018 is published)


Get the model (US$4,500 value) for FREE when you join the certified ISO 31000 Lead Auditor (CTA31000) training in Dubai*

G31000 Middle East: Ersoy Aksoy, +971 4 5590258 (Dubai), [email protected]

* The 6th International ISO 31000 conference is scheduled on 24-25 September 2017 in Dubai, UAE. See: https://G31000conference.org/

Alternatively, you can purchase the G31000 RMM at the special offer price of US$3,000, valid until 24 September 2017*


Take the advanced course for Certified ISO 31000 Lead Auditors:

✓ Two-day advanced course to become a certified ISO31000 Lead Auditor (CTA31000)

✓ Special examination for CTA 31000 auditors

✓ Hard copy of the G31000 RMM, including postage and handling

✓ Electronic copy of the G31000 RMM, including the scoring model (Excel)

✓ Complimentary updates of the G31000 RMM for the next 3 years (due to be updated when ISO31000:2018 is published)

✓ Special price of USD 2,400 for C31000 risk professionals only

The first advanced course and certification examination for ISO 31000 Lead Auditors will be organized after the international ISO 31000 risk management conference scheduled on 26-27 September 2017 in Dubai. See: https://G31000conference.org/